Malicious Installers Impersonate Microsoft Teams and Google Meet, Spreading the Oyster Backdoor
The Oyster backdoor has emerged as one of the most insidious cybersecurity threats in recent memory, masquerading as legitimate downloads for widely used collaboration tools. In mid-November 2025, security teams at CyberProof detected a wave of fake Microsoft Teams and Google Meet installers that secretly deploy this stealthy malware onto victims’ computers. By exploiting techniques such as SEO poisoning and malvertising, cybercriminals have managed to reach professionals—especially those in the financial sector—seeking trusted software. This guide dives into the inner workings of the Oyster backdoor campaign, outlines its impact on corporate networks, and provides concrete steps you can take to safeguard your systems.
How the Oyster Backdoor Campaign Works
Behind every successful malware operation is a carefully orchestrated delivery mechanism. The Oyster backdoor campaign relies on search result manipulation and deceptive advertising to ensnare unsuspecting users. Below, we break down the two primary infection vectors that attackers leverage to spread the backdoor.
SEO Poisoning: Manipulating Search Results
SEO poisoning refers to the practice of optimizing malicious websites so they appear at the top of search engine results pages (SERPs). CyberProof researchers observed that fake download pages for Microsoft Teams and Google Meet ranked unusually high on Google and Bing during targeted queries like “Microsoft Teams download” and “Google Meet installer.” These spoofed sites mimic authentic domains by using slight misspellings or additional keywords in the URL, such as “microsoft-teems[.]download” or “g-meet-setup[.]info.”
- Keyword stuffing: Attackers embed repetitive terms—like “Microsoft Teams,” “download,” and “security patch”—to trick search engine algorithms.
- Webpage cloaking: The page content dynamically changes based on visitor origin. Security researchers see a polished download page, while automated crawlers capture only innocuous code.
- Backlink farms: Malicious operators create dozens of interlinked sites that point to the fake installer page, boosting its apparent credibility in the eyes of search engines.
By hijacking high-intent queries, cybercriminals draw in IT professionals, accountants, and executives who are eager to install essential communication tools. Once on the fraudulent site, a single click unleashes the Oyster backdoor installer disguised as a genuine setup file.
Malvertising: The Hidden Dangers in Ads
Malvertising, or malicious advertising, supplements SEO poisoning by injecting malware into legitimate ad networks. Visitors to reputable websites can encounter deceptive banner ads that promise a “new and improved” version of Microsoft Teams or Google Meet. These advertisements redirect users to the same malicious domains identified in the SEO poisoning phase.
- Ad network infiltration: Attackers purchase ad slots on high-traffic portals, ranging from tech blogs to mainstream news sites. Even secure platforms sometimes fail to thoroughly vet every ad creative.
- Auto-redirect scripts: Upon clicking the malicious ad, users are sent to a download page almost immediately, often within a fraction of a second, limiting their ability to notice the URL mismatch.
- Drive-by downloads: In some cases, the installer begins downloading automatically without user interaction, making it exceptionally difficult to abort the process.
Research indicates that malvertising campaigns deliver up to 30% of all observed Oyster backdoor payloads, underscoring the importance of scrutinizing online ads—no matter how legitimate they appear.
Anatomy of the Fake Installer
Understanding the structure and behavior of the fake installer sheds light on why the Oyster backdoor has proven so persistent. We explore how attackers disguise malicious payloads and the lengths they go to lend credibility to their threats.
Disguised as Popular Communication Tools
The current campaign features executable files named to resemble legitimate software. These include:
- MSTeamsSetup.exe: Presented as the official Microsoft Teams installer, it actually holds the malicious payload.
- GoogleMeetInstall.exe: Marketed as the standalone Google Meet application, this file conceals the hidden backdoor.
- TeamConnectSetup.exe: A less common variant purporting to bundle both Teams and Meet features.
Each file’s appearance is meticulously crafted. Icons match those of the genuine software, and installer dialogs display similar styling. Attackers even go as far as to include fake progress bars and end-user license agreements (EULAs) to lull users into a false sense of security.
Use of Code-Signing Certificates
Code-signing certificates serve as digital stamps vouching for a file’s integrity and origin. To add legitimacy, Oyster backdoor distributors obtained certificates from small or obscure companies:
- LES LOGICIELS SYSTAMEX INC.
- Reach First Inc.
- S.N. ADVANCED SEWERAGE SOLUTIONS LTD.
Although these certificates have since been revoked, they granted the installers an elevated trust level on Windows systems. Users encountered fewer security warnings, thereby increasing the probability of installation. CyberProof data shows that over 70% of victims proceeded past the first Windows SmartScreen prompt when the installer appeared code-signed.
Persistence and Impact of the Backdoor
Once installed, the Oyster backdoor establishes a hidden foothold on the infected machine. Its design prioritizes stealth and ongoing access—allowing attackers to pivot to other parts of the network or deploy secondary payloads, such as ransomware or credential stealers.
Scheduled Tasks and Stealth Techniques
To achieve persistence, the fake installer drops a malicious Dynamic Link Library (DLL) named AlphaSecurity.dll into the user’s application data folder. Next, it registers a scheduled task titled “AlphaSecurity” using the Windows Task Scheduler:
schtasks /create /sc minute /mo 18 /tn AlphaSecurity /tr "rundll32.exe C:\Users\Username\AppData\Roaming\AlphaSecurity.dll,EntryPoint"
This setup ensures the backdoor launches every 18 minutes, regenerating communication channels with the attacker’s command-and-control (C2) servers. Even after system reboots, the scheduled task remains intact and reactivates automatically.
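As an added illustration (not code from the CyberProof or Blackpoint analyses), the following Python runs a hunting rule over constructed process-creation command lines of the kind Sysmon or Windows Security event 4688 record, looking for the persistence chain described above: a schtasks /create with a minute-level trigger whose action is rundll32 loading a DLL from a user-writable path. The user name, paths and benign noise lines are assumed; the same rule covers the "unknown scheduled tasks" hunt recommended later under Security Measures and Tools.

```python
import re

# Constructed process-creation command lines (what Sysmon Event ID 1 or
# Security Event 4688 would record). Lines 1-2 mirror the persistence chain
# described in the article; user name, path and task name are assumed.
# Lines 0, 3 and 4 are benign noise that the rule must not flag.
SAMPLE_CMDLINES = [
    r'"C:\Users\alice\Downloads\MSTeamsSetup.exe"',  # the lure; the name alone is no signal
    r'schtasks /create /sc minute /mo 18 /tn AlphaSecurity /tr "rundll32.exe C:\Users\alice\AppData\Roaming\AlphaSecurity.dll,EntryPoint"',
    r'rundll32.exe C:\Users\alice\AppData\Roaming\AlphaSecurity.dll,EntryPoint',
    r'schtasks /create /sc daily /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe"',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
]

TASK_CREATE = re.compile(r'\bschtasks(?:\.exe)?\s+/create\b', re.I)
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+)"?', re.I)            # the /tr payload
MINUTE_TRIGGER = re.compile(r'/sc\s+minute\s+/mo\s+(\d+)', re.I)
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)\s*,\s*\w+', re.I)
# Locations a standard user can write to: legitimate scheduled tasks rarely
# execute DLLs from here, while dropped payloads almost always live here.
USER_WRITABLE = re.compile(
    r'\\AppData\\(?:Roaming|Local)\\|\\Users\\[^\\]+\\Downloads\\|\\Temp\\|\\ProgramData\\', re.I)
MAX_BENIGN_INTERVAL_MIN = 60  # threshold is an assumption; tune to your environment


def assess_cmdline(cmdline: str) -> list[str]:
    """Return the rule hits for one command line (empty list means nothing suspicious)."""
    hits = []
    if TASK_CREATE.search(cmdline):
        action = TASK_ACTION.search(cmdline)
        action_str = action.group(1) if action else ""
        trig = MINUTE_TRIGGER.search(cmdline)
        if trig and int(trig.group(1)) <= MAX_BENIGN_INTERVAL_MIN:
            hits.append(f"schtasks: minute-level trigger (every {trig.group(1)} min)")
        if RUNDLL_DLL.search(action_str):
            hits.append("schtasks: action executes a DLL via rundll32")
        if USER_WRITABLE.search(action_str):
            hits.append("schtasks: action path is user-writable")
    else:
        dll = RUNDLL_DLL.search(cmdline)
        if dll and USER_WRITABLE.search(dll.group(1)):
            hits.append(f"rundll32 loads DLL from user-writable path: {dll.group(1)}")
    return hits


def hunt(cmdlines: list[str]) -> dict[int, list[str]]:
    """Map the index of every flagged command line to its rule hits."""
    return {i: h for i, c in enumerate(cmdlines) if (h := assess_cmdline(c))}


if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_CMDLINES).items():
        print(f"[{idx}] {SAMPLE_CMDLINES[idx]}")
        for h in hits:
            print(f"     - {h}")
```

The task-creation line trips all three schtasks rules, the later rundll32 launch trips the user-writable-path rule, and the benign lines produce no hits.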
Additional stealth features include:
- Code obfuscation to hinder reverse engineering.
- Dynamic DNS to frequently change C2 endpoints.
- Encrypted communications based on TLS to blend in with normal network traffic.
Corporate Networks at Risk
The scope of this campaign extends far beyond personal devices. Financial institutions, professional services firms, and mid-sized enterprises form the primary targets. Once the Oyster backdoor is present, attackers can:
- Harvest user credentials via phishing overlays.
- Move laterally using tools like PsExec or Cobalt Strike.
- Deploy ransomware variants—already seen in attacks by groups such as Rhysida.
- Exfiltrate sensitive financial and intellectual property data.
According to a January 2026 Threat Intelligence report, over 15% of ransomware incidents investigated involved an initial compromise via the Oyster backdoor. This correlation highlights the backdoor’s role as a stepping stone for high-impact breaches.
Evolving Tactics and Timeline
This incident marks only the latest chapter in the Oyster backdoor’s evolution. From its first documented appearance in September 2023 to today’s sophisticated campaign, attackers have continually refined their methods to stay one step ahead of defenders.
Early Variants and Previous Campaigns
IBM X-Force first identified the Broomstick/CleanUpLoader backdoor in late 2023, noting its straightforward C2 communication and basic persistence mechanisms. In mid-2025, CyberProof researchers observed a shift: anti-forensic routines were added, and installers mimicked IT utilities like PuTTY and WinSCP.
- July 2025: Oyster payload distributed through fake PuTTY download pages.
- August 2025: Adversaries switched to WinSCP-branded installers.
- September–October 2025: Malvertising campaigns targeted remote work solutions.
Each new iteration demonstrated an increased emphasis on social engineering and operational security, making detection increasingly difficult.
Recent Surge Since November 2025
CyberProof’s November 2025 report indicates that the present wave of fake Microsoft Teams and Google Meet installers began slightly earlier than previously believed. Blackpoint Cyber corroborated these findings, adding that over 40 distinct domains were used in just three weeks.
“Multiple ransomware groups, including Rhysida, have ties to this threat cluster, and we anticipate its activities will intensify through 2026,” warned CyberProof in their latest analysis.
Temporal statistics highlight the campaign’s growth:
- November 2024–October 2025: ~120 unique malicious domains identified.
- November 2025 alone: 40 new domains hosting counterfeit installers.
- December 2025: 25% spike in reported incidents compared to the previous month.
These figures underscore the urgency of deploying robust defenses before attackers capitalize on holiday downtime and year-end financial transactions.
Protecting Yourself and Your Organization
Combatting the Oyster backdoor requires a multi-layered defense strategy. By blending user awareness with technical controls, organizations can significantly reduce the risk of infection and lateral movement within their networks.
Best Download Practices
- Always use official sources. Navigate directly to microsoft.com or meet.google.com when acquiring communication tools.
- Verify digital signatures. Right-click downloaded installers, select Properties, and confirm the signer matches the expected vendor.
- Implement web filtering. Block known malicious domains and suspicious top-level domains (TLDs) at the DNS or firewall level.
- Avoid pop-up ads. Never click on unsolicited banners or search result ads for software downloads. Use ad blockers where possible.
Security Measures and Tools
Beyond download etiquette, consider the following technical safeguards:
- Endpoint Detection and Response (EDR): Use advanced EDR solutions that can detect anomalous scheduled tasks and DLL injections.
- Email and web gateways: Deploy secure gateways with URL inspection to block malicious links in real time.
- Network segmentation: Limit lateral movement by segregating critical systems from user workstations.
- Regular threat hunting: Conduct periodic hunts for indicators of compromise, such as unknown scheduled tasks or unusual DNS requests.
- Patch management: Keep operating systems, browsers, and security software up to date to close known vulnerabilities that attackers exploit.
By combining vigilance with layered defenses, organizations can thwart the Oyster backdoor’s attempts to establish a covert presence on their systems.
Conclusion
The Oyster backdoor campaign stands as a stark reminder that attackers will weaponize any avenue—be it search engines or third-party advertising—to spread malware. From its early days mimicking PuTTY installers to the latest wave of fake Microsoft Teams and Google Meet downloads, this threat cluster continues to evolve. Financial institutions and corporate networks face heightened risks, as the backdoor often serves as an initial gateway for ransomware operators.
Defeating this campaign demands a combination of user education, stringent download policies, and robust technical controls. Always procure software directly from official sources, validate digital signatures, and implement layered security measures like EDR and network segmentation. Staying informed about emerging tactics—such as those employed by the Oyster backdoor—is critical for maintaining a strong security posture throughout 2026 and beyond.
FAQ
What is the Oyster backdoor?
The Oyster backdoor, also known as Broomstick or CleanUpLoader, is a stealthy malware payload designed to grant attackers persistent access to infected machines. It often spreads via counterfeit installers for legitimate software tools.
How does SEO poisoning contribute to malware distribution?
SEO poisoning manipulates search engine algorithms, ensuring malicious websites appear prominently in search results. Users searching for popular software downloads may be redirected to dangerous pages that host malware installers.
Can code-signing certificates be trusted?
Generally, code-signing certificates indicate a file’s source and integrity. However, attackers can obtain certificates from small or compromised entities, making it essential to verify the issuer’s legitimacy and certificate status.
What immediate steps should I take if I suspect an infection?
If you believe your system is infected with the Oyster backdoor, disconnect from the network, run a full EDR scan, and consult with your incident response team. Check for suspicious scheduled tasks named “AlphaSecurity” and remove any unauthorized DLL files.
Are there any specific security tools recommended to detect this backdoor?
Advanced Endpoint Detection and Response (EDR) platforms are particularly effective at catching the Oyster backdoor, as they monitor for fileless techniques, scheduled task anomalies, and unusual DLL injections. Combining EDR with web and email gateway filtering offers comprehensive protection.
Why are financial organizations prime targets?
Financial institutions handle sensitive data and large transactions, making them lucrative targets. Attackers use the Oyster backdoor as an initial access tool before deploying ransomware or exfiltrating confidential information, potentially causing severe financial and reputational harm.
What trends can we expect in 2026 regarding this threat?
Researchers predict the Oyster backdoor campaign will intensify through 2026, with increasing use of AI-driven malvertising and more sophisticated obfuscation techniques. Organizations should remain vigilant, continually update their defenses, and monitor threat intelligence feeds for emerging indicators of compromise.